OCR Loosens HIPAA Enforcement Amidst Coronavirus Pandemic

Let’s face it, there has not been much positive news lately surrounding the Coronavirus (“COVID-19”).  However, the Office for Civil Rights (“OCR”), the agency within the Department of Health and Human Services (“HHS”) that enforces the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy and Security Rules, has announced several recent measures that allow health care providers to avoid certain HIPAA penalties and sanctions amidst the COVID-19 pandemic.

There are several measures OCR/HHS has taken to lessen the regulatory burden of HIPAA for health care providers amidst COVID-19.  Here is the latest breakdown of important pronouncements and guidance set forth by OCR/HHS to help providers deal with COVID-19 and HIPAA compliance:

February 2020 – Bulletin #1 (HIPAA reminder):  OCR/HHS releases a Bulletin “HIPAA Privacy and Novel Coronavirus” (“Bulletin #1”) which merely reminds covered entities and business associates of the ways that patient information may be shared under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situation.  HHS goes on to state in the Bulletin that “protections of the Privacy Rule are not set aside during an emergency.”

March 15, 2020 – Bulletin #2 (HIPAA limited waiver):  Despite its earlier Bulletin warning that HIPAA Privacy Rule protections remain intact, OCR/HHS released another Bulletin that relaxes the Privacy Rule through a limited waiver:  “COVID-19 & HIPAA Bulletin:  Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency” (“Bulletin #2”).  In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and following HHS Secretary Alex M. Azar’s earlier declaration of a public health emergency on January 31, 2020, Secretary Azar exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

This limited waiver became effective on March 15, 2020.  The limited waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

Again, this waiver is quite limited, and the waiver only purportedly applies to hospitals that have enacted disaster protocols.  This limited waiver can be revoked at any time by the Secretary of HHS.

March 17, 2020 (HIPAA waiver for telehealth):  OCR/HHS announces enforcement discretion, effective March 17, 2020, waiving all potential penalties for HIPAA violations against covered entities that serve patients through telehealth communications technologies, presumably in an effort to foster remote video communication products and telehealth services to patients during the COVID-19 pandemic.  The announcement came by way of a “Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency” (“Notification”) posted on OCR/HHS’ website.  This waiver of penalties and sanctions applies to all covered entities, not just the hospitals addressed in OCR/HHS’ previous Bulletin mentioned above.

Surprisingly, this waiver applies not only to telehealth services provided to treat patients related to COVID-19, but also to ALL telehealth provided by covered entities for any reason during the COVID-19 public health emergency:

OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.  This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.  (emphasis added)

OCR/HHS warns that this waiver of enforcement and penalties does NOT apply to communications that are public facing (i.e., Facebook Live, Twitch, TikTok, and similar public-facing video communication applications), and that these methods of communication should NOT be used by covered entities.  Rather, the enforcement waiver only applies to NON-PUBLIC FACING video or audio communications such as video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype.

Under this Notification, OCR/HHS also confirmed that it will not impose penalties against covered health care providers for the lack of a business associate agreement (“BAA”) with video communication vendors, or for any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

However, despite this waiver for lack of a BAA, OCR/HHS points out in the Notification that covered entities may want to seek “additional privacy protections for telehealth while using video communication products” by using HIPAA-compliant vendors.  This is an indirect way for OCR/HHS to encourage covered entities to seek out vendors that are 1) HIPAA compliant and 2) willing to enter into a BAA with the covered entity.  OCR/HHS even provides a list of vendors in the Notification that meet these two criteria, though OCR/HHS explicitly states that it does not endorse, certify or recommend these vendors, and that OCR/HHS has not reviewed the BAAs offered by these particular vendors:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet

In all, despite the focus on meeting HIPAA Privacy and Security Rule requirements in Bulletin #1 amid COVID-19, OCR/HHS has loosened its enforcement through Bulletin #2 and the Notification.  These measures will certainly help providers deal with the pandemic more easily, without worrying about HIPAA compliance in the specific situations outlined above.

It is important to note that the COVID-19 related waivers provided by OCR/HHS should not be interpreted as a blanket waiver allowing providers and business associates to simply avoid all HIPAA Privacy and Security Rule compliance in these tough times.  Rather, the limited waivers are just that: limited in scope, with all other enforcement of HIPAA Privacy and Security Rule compliance remaining intact.